Vulnerability Description
The commit diff REST endpoint in Bitbucket Server and Data Center allows remote attackers who have permission to access a repository to read the contents of arbitrary files on the system and to execute commands, by injecting additional arguments into the git commands the endpoint runs. If public access is enabled for a project or repository, the issue can be exploited anonymously. Affected versions: before 5.16.10 (the fixed version for 5.16.x); from 6.0.0 before 6.0.10 (the fixed version for 6.0.x); from 6.1.0 before 6.1.8 (the fixed version for 6.1.x); from 6.2.0 before 6.2.6 (the fixed version for 6.2.x); from 6.3.0 before 6.3.5 (the fixed version for 6.3.x); from 6.4.0 before 6.4.3 (the fixed version for 6.4.x); and from 6.5.0 before 6.5.2 (the fixed version for 6.5.x).
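The bug class behind this advisory is argument injection: a value the caller controls (a ref or path) is placed into a git argv, and because git parses any leading-dash token as an option, the caller can smuggle in options the endpoint never intended. The following is an added illustration, not Bitbucket's code; the page does not show how the endpoint built its command line, so the vulnerable shape below (user values appended straight to a `git diff` argv) and the function and parameter names are assumptions. It shows the vulnerable pattern, a hardened version using a validator for ref positions and the `--` separator for path positions, and a small check that reports which argv tokens git would read as options.

```python
import re

# Constructed model of a "commit diff" endpoint that shells out to git.
# Assumption: the endpoint takes two refs and an optional path from the
# request and builds `git diff <since> <until> [<path>]`.

def build_diff_argv_vulnerable(repo_dir, since, until, path=None):
    """Vulnerable pattern: request values go straight into argv.
    A 'ref' or 'path' such as '--output=/tmp/x' is parsed by git as an
    option, not as data, so the caller controls git's behaviour."""
    argv = ["git", "-C", repo_dir, "diff", since, until]
    if path is not None:
        argv.append(path)
    return argv


# Conservative allow-list for ref positions: hex SHAs, branch and tag
# names, HEAD, HEAD~3, HEAD^ and the like. A leading '-' is never allowed.
_SAFE_REF = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/~^-]*$")


def is_safe_ref(value):
    """True if the value cannot be read by git as an option."""
    return bool(value) and not value.startswith("-") and _SAFE_REF.match(value) is not None


def validate_ref(value):
    if not is_safe_ref(value):
        raise ValueError("refusing unsafe git ref: %r" % (value,))
    return value


def build_diff_argv_hardened(repo_dir, since, until, path=None):
    """Hardened pattern. Ref positions cannot be protected by '--' (they
    precede it), so they are validated; the path goes after '--', which
    makes git treat everything following it as data even if it starts
    with '-'."""
    argv = ["git", "-C", repo_dir, "diff", validate_ref(since), validate_ref(until)]
    if path is not None:
        if "\0" in path:
            raise ValueError("NUL byte in path")
        argv += ["--", path]
    return argv


def injected_options(argv):
    """Review/detection helper: tokens after the subcommand that git would
    parse as options. Everything after '--' is data and is skipped."""
    found = []
    seen_separator = False
    for tok in argv[4:]:  # skip: git -C <repo_dir> diff
        if seen_separator:
            continue
        if tok == "--":
            seen_separator = True
            continue
        if tok.startswith("-"):
            found.append(tok)
    return found


if __name__ == "__main__":
    # Constructed request values: the second "ref" is really a git option.
    bad = build_diff_argv_vulnerable("/srv/repo", "HEAD~1", "--output=/tmp/pwn", "README.md")
    print("vulnerable argv injects:", injected_options(bad))
    good = build_diff_argv_hardened("/srv/repo", "HEAD~1", "HEAD", "-odd-file-name")
    print("hardened argv injects:", injected_options(good), "argv:", good)
```

Two points a reviewer should take from this: passing an argv list to the process API (never a shell string) removes shell injection but does nothing against option injection, and `--` only protects positions that come after it, so values that must precede it (refs, subcommand selectors) need an allow-list rather than a separator.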
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Atlassian | Bitbucket | >= 5.16.0, < 5.16.10 |
| Atlassian | Bitbucket | >= 6.0.0, < 6.0.10 |
| Atlassian | Bitbucket | >= 6.1.0, < 6.1.8 |
| Atlassian | Bitbucket | >= 6.2.0, < 6.2.6 |
| Atlassian | Bitbucket | >= 6.3.0, < 6.3.5 |
| Atlassian | Bitbucket | >= 6.4.0, < 6.4.3 |
| Atlassian | Bitbucket | >= 6.5.0, < 6.5.2 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/154610/Bitbucket-Server-Data-Center-Argumen
- https://jira.atlassian.com/browse/BSERV-11947 (Vendor Advisory)
- https://seclists.org/bugtraq/2019/Sep/43
FAQ
What is CVE-2019-15000?
CVE-2019-15000 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The commit diff rest endpoint in Bitbucket Server and Data Center before 5.16.10 (the fixed version for 5.16.x ), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the f...
How severe is CVE-2019-15000?
CVE-2019-15000 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-15000?
Yes. Atlassian fixed the issue in Bitbucket Server and Data Center 5.16.10, 6.0.10, 6.1.8, 6.2.6, 6.3.5, 6.4.3 and 6.5.2; upgrade to the fixed release for your branch, or later. The vendor advisory (BSERV-11947) is linked in the references above. Disabling public access only removes the anonymous path; any user with permission to access a repository can still exploit an unpatched instance.